WordPress is the world’s most popular content management system online today. Consider a few of these stats straight from the platform:
- 409 million. The number of people who view WordPress sites each month.
- 14.4 billion. The number of page views on WordPress sites each month.
- 42.6 million. The number of new posts created each month on WordPress.
- 51.6 million. The number of new comments posted each month to WordPress sites.
WordPress attackers know that by attacking WordPress vulnerabilities, they can take over sites and use them to cause a lot of damage in a short amount of time. For example, in March 2014, a cyber security firm discovered that attackers had hijacked 162,000 WordPress sites and had turned them into botnets for DDoS attacks. A cyber attacker could gain access to your WordPress account using any of these three access points:
3 Access Points for WordPress Attacks
1. Vulnerable Environments
You and other members of your organization access your WordPress account using desktops, laptops, and mobile devices. A compromised device could provide a backdoor for an attacker to vandalize your WordPress site. For example, if you’ve downloaded keylogger malware onto your computer, an attacker could record your keystrokes and figure out your WordPress password. Then, the hacker could log onto your dashboard and insert malicious code into your site.
Another vulnerable environment for your WordPress site is the server that hosts it. The server, the facility it’s stored in, and any software it runs could inadvertently allow an attacker to vandalize your WordPress site. Ask your hosting provider if it offers these important security features:
- Does the host run stable versions of the web server and software on the server?
- Is there a server-level firewall?
- Is the server kept under lock and key for limited physical access?
- Does your server use SFTP for FTP file transfer?
- Does it keep any MySQL databases secure?
- Does it create a unique database for each new blog installation?
- Does it frequently backup your files?
2. Unprotected Admin Access
Once an attacker has your admin login and password, he or she can do anything to alter your website or access files related to you and your customers. Take these steps to protect your admin panel from attackers:
- Add two-factor authentication (2FA). You can use a password manager or something as simple as Google Authenticator to add a layer of protection to the login process. Installing these programs will provide an additional numeric code when you log in to supplement your username and password. Since most WordPress attacks are carried out by bots, 2FA is an easy defense against a computer that could guess your password.
- Security plugins. Use WordPress security plugins, such as SecureScanPRO that require human input in order to login. This could be an added captcha or authentication code.
- Change the admin username. “Admin” is the username automatically created when you set up your WordPress blog or website. Log into your admin panel, add a new user, and assign admin privileges to that user. Then, delete the “admin” user. Or alternatively, just make these changes at the time of installation.
3. Out-of-Date Software
If you fail to update your WordPress software, your themes, or your plugins, you could be leaving your WordPress site vulnerable to attack. When you log into your dashboard, always notice whether updates are available and install them when they are without delay. You might think that you don’t have time to download updates, but a few moments spent updating your tools could prevent significant downtime from a cyber attack.
Keeping Your WordPress Site Secure
Make sure to visit your WordPress site frequently to ensure that it hasn’t been vandalized. You can also use WordPress security scanner plugins that will regularly review your site for malware and attacks in progress. A hacked WordPress site could mean not only lost revenue, but also significant damage to your reputation. Fortunately, you have many effective tools at your disposal for protecting your WordPress site.
